Malware Analysis Report

2024-10-18 23:40

Sample ID: 240814-1a9y1sware
Target: 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613
SHA256: 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613
Tags: amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613
Threat Level: Known bad

The file 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613 was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Identifies Wine through registry keys

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies registry class

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-14 21:28

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-14 21:27
Reported: 2024-08-14 21:30
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe | N/A |

Downloads MZ/PE file

Checks BIOS information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |

Identifies Wine through registry keys

evasion

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe | N/A |

Adds Run key to start application

persistence

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fb3b92899b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\fb3b92899b.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |

AutoIT Executable

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 748 set thread context of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4856 set thread context of 3596 | N/A | C:\Users\Admin\1000037002\4684fd6485.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe | N/A |

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\4684fd6485.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\98f682bca6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe | N/A |

Checks processor information in registry

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Modifies registry class

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Suspicious use of FindShellTrayWindow

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Suspicious use of SendNotifyMessage

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5092 wrote to memory of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe |
| PID 4832 wrote to memory of 748 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe |
| PID 748 wrote to memory of 3088 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 748 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 748 wrote to memory of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4832 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\4684fd6485.exe |
| PID 4856 wrote to memory of 3596 | N/A | C:\Users\Admin\1000037002\4684fd6485.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4832 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\98f682bca6.exe |
| PID 2144 wrote to memory of 728 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 728 wrote to memory of 868 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |
| PID 868 wrote to memory of 2092 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe

"C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\4684fd6485.exe

"C:\Users\Admin\1000037002\4684fd6485.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\98f682bca6.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\98f682bca6.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c25d8d45-a14a-42c6-bf8d-0772a8482622} 868 "\\.\pipe\gecko-crash-server-pipe.868" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aee996c0-0a38-4e2c-b0e8-1518d2d73e26} 868 "\\.\pipe\gecko-crash-server-pipe.868" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2904 -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2916 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d332acf2-5732-4b12-8e91-c815ad7e082f} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3656 -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 1308 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a03baaa0-8a49-4746-82ba-5e269a913d96} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4548 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4596 -prefMapHandle 4592 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4b2b312-1979-42f8-bd0a-8c46a765b210} 868 "\\.\pipe\gecko-crash-server-pipe.868" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 3 -isForBrowser -prefsHandle 5352 -prefMapHandle 5324 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {719b5434-83c8-4e81-acd2-bae0e610c428} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 4 -isForBrowser -prefsHandle 5600 -prefMapHandle 5596 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8131d2ac-7f63-4ffc-a494-7c35979f5398} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 5 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c820fa59-ad86-4877-8e1e-bec0298b50d7} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6252 -childID 6 -isForBrowser -prefsHandle 6296 -prefMapHandle 6276 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1184 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69ccddf8-dd7f-4fa0-94ea-3d62241f8fe3} 868 "\\.\pipe\gecko-crash-server-pipe.868" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe

C:\Users\Admin\1000037002\4684fd6485.exe

C:\Users\Admin\AppData\Local\Temp\1000038001\98f682bca6.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\e9f48ae5-df4b-49a3-a7d4-afcd238b6049

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\7dfec531-c2be-4284-8f28-253f108ce822

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\69d0302c-3f0c-4cef-b84b-7c6f7c213fe1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

C:\Users\Admin\AppData\Local\Temp\tmpaddon

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-14 21:27

Reported

2024-08-14 21:30

Platform

win11-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\fb3b92899b.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\fb3b92899b.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2144 set thread context of 728 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1688 set thread context of 1952 N/A C:\Users\Admin\1000037002\47e31c7b4f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\47e31c7b4f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\4684fd6485.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (64 identical rows collapsed)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe (3 identical rows)
PID 1176 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe (3 identical rows)
PID 2144 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (10 identical rows)
PID 1176 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\47e31c7b4f.exe (3 identical rows)
PID 1688 wrote to memory of 4912 N/A C:\Users\Admin\1000037002\47e31c7b4f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (3 identical rows)
PID 1688 wrote to memory of 1952 N/A C:\Users\Admin\1000037002\47e31c7b4f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (9 identical rows)
PID 1176 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\4684fd6485.exe (3 identical rows)
PID 728 wrote to memory of 4628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical rows)
PID 4628 wrote to memory of 3764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical rows)
PID 3764 wrote to memory of 4652 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (17 identical rows)
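Read as a graph, this table is the whole infection chain. The submitted sample (PID 1836) writes into its own copy explorti.exe (1176); explorti.exe writes into each downloaded payload (2144, 1688, 1336); two of those payloads, fb3b92899b.exe and 47e31c7b4f.exe, then write repeatedly (9 and 10 calls) into RegAsm.exe processes (728, 4912, 1952). RegAsm.exe is a Microsoft .NET utility and, as the Processes list below shows, it was started with no arguments, so it has nothing legitimate to do; repeated writes into it from an unsigned executable in the user's profile, together with the "Suspicious use of SetThreadContext" signature in the overview, is the pattern of process hollowing. RegAsm.exe 728 then writes into a new Firefox process (4628) started on the Google password-settings URL, so every Firefox process, network flow and profile write that follows is a consequence of the sample's actions rather than sandbox background activity. The script below is an added example, not part of this report or of any sandbox's tooling: it parses rows in this table's layout (a de-duplicated copy of the rows is embedded as constructed sample input), reconstructs the writer chain for any PID, and flags two patterns using heuristics chosen for this example, a user-writable image writing into a binary under C:\Windows, and a foreign image writing into a browser process. The path rules and the browser list are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample input: a de-duplicated copy of the report's
# "Suspicious use of WriteProcessMemory" rows. The report repeats each row
# once per call; the parser counts repeats, so the full table can be pasted in.
ROWS = r"""
PID 1836 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 1176 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe
PID 2144 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1176 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\47e31c7b4f.exe
PID 1688 wrote to memory of 4912 N/A C:\Users\Admin\1000037002\47e31c7b4f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1688 wrote to memory of 1952 N/A C:\Users\Admin\1000037002\47e31c7b4f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1176 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\4684fd6485.exe
PID 728 wrote to memory of 4628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4628 wrote to memory of 3764 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3764 wrote to memory of 4652 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
"""

# Image paths may contain spaces ("C:\Program Files\..."), so anchor on the
# ".exe" suffix of each path instead of splitting on whitespace.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")

# Browser image names treated as credential-bearing targets (an assumption of
# this example, not something the report lists).
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe")


def parse_rows(text):
    """Return (edges, names): edges counts calls per (writer_pid, target_pid),
    names maps every PID seen to its image path."""
    edges, names = Counter(), {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                      # header line or unrelated text
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        edges[(src, dst)] += 1
        names[src], names[dst] = src_img, dst_img
    return edges, names


def is_user_writable(path):
    """Anything under C:\\Users except a Program Files subtree (heuristic)."""
    p = path.lower()
    return p.startswith("c:\\users\\") and "\\program files" not in p


def is_system_image(path):
    return path.lower().startswith("c:\\windows\\")


def flag_writes(edges, names):
    """Apply two heuristics to each writer->target pair; return
    (writer_pid, target_pid, reason) for every hit."""
    findings = []
    for (src, dst) in edges:
        s, d = names[src], names[dst]
        if is_user_writable(s) and is_system_image(d):
            findings.append((src, dst,
                             "user-writable image writes into a C:\\Windows binary (hollowing candidate)"))
        elif d.lower().endswith(BROWSERS) and s.lower() != d.lower():
            findings.append((src, dst, "foreign image writes into a browser process"))
    return findings


def lineage(edges, pid):
    """Follow writer edges backwards from pid to the root of the chain."""
    parents = {dst: src for (src, dst) in edges}
    chain = [pid]
    while chain[-1] in parents and parents[chain[-1]] not in chain:
        chain.append(parents[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    edges, names = parse_rows(ROWS)
    for src, dst, why in flag_writes(edges, names):
        print(" -> ".join(map(str, lineage(edges, dst))), ":", why)
```

Run against the embedded rows it prints four chains: the three RegAsm.exe targets (728, 4912, 1952), each rooted at the sample, and the Firefox process 4628 written to by RegAsm.exe 728. Firefox writing into its own child processes (4628 to 3764, 3764 to 4652) is ordinary multi-process startup and is deliberately not flagged, which is why the same-image check is there.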

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe

"C:\Users\Admin\AppData\Local\Temp\66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\47e31c7b4f.exe

"C:\Users\Admin\1000037002\47e31c7b4f.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\4684fd6485.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\4684fd6485.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1808 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94bda5dd-d8b8-4609-9dfc-85c1d756630b} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68e9127f-5d10-4e4b-99dd-5d22db249de6} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3388 -childID 1 -isForBrowser -prefsHandle 3380 -prefMapHandle 3376 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ed737fb-15d0-4ee2-a8ab-74426695aa05} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3728 -childID 2 -isForBrowser -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb103bbf-c45b-4cb5-bd76-01a6442eb434} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4364 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4376 -prefMapHandle 4452 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d615a503-eeff-43b5-a6af-22550fd3842c} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5528 -childID 3 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86b40fb5-6d15-40c7-af1a-a4e639bf2a60} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 4 -isForBrowser -prefsHandle 5760 -prefMapHandle 5756 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4043d237-de51-4337-9c9c-cbffc5b56dfd} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5948 -childID 5 -isForBrowser -prefsHandle 5520 -prefMapHandle 5524 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef14858e-8be1-421d-a027-313ee91098a0} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6240 -childID 6 -isForBrowser -prefsHandle 6260 -prefMapHandle 6256 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f42319e7-c428-44a2-a971-09e8e88e0dbc} 3764 "\\.\pipe\gecko-crash-server-pipe.3764" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 108.177.127.84:443 accounts.google.com tcp
NL 108.177.127.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
N/A 127.0.0.1:49844 tcp
NL 108.177.127.84:443 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
FR 216.58.214.174:443 www3.l.google.com tcp
FR 216.58.214.174:443 www3.l.google.com udp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com tcp
FR 142.250.201.174:443 play.google.com udp
FR 172.217.20.196:443 www.google.com tcp
N/A 127.0.0.1:49852 tcp
FR 172.217.20.196:443 www.google.com udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
FR 216.58.214.174:443 www3.l.google.com tcp
FR 216.58.214.174:443 www3.l.google.com udp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com tcp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
FR 142.250.201.174:443 play.google.com udp
FR 142.250.201.174:443 play.google.com tcp
NL 108.177.127.84:443 accounts.google.com udp
NL 108.177.127.84:443 accounts.google.com tcp
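Most rows in this table are produced by the Firefox instance the injected RegAsm.exe opened (Mozilla telemetry and remote-settings endpoints, Pocket, the Google sign-in page, the OpenH264 and Widevine plugin downloads) or by the sandbox resolver. The exceptions are the plaintext HTTP (port 80) connections to three bare addresses, 185.215.113.19, 185.215.113.16 and 185.215.113.100, which the client never named by hostname, and the reverse (PTR) lookup of 185.215.113.19. The script below is an added example, not part of this report or any vendor's tooling: it parses rows in this table's layout (a constructed subset of the rows is embedded), turns in-addr.arpa names back into addresses so a PTR lookup can be matched to a flow, and labels each flow. Treating "port 80 to a bare IP" as a command-and-control candidate and the listed hostname suffixes as browser background traffic are heuristics chosen for this example; the report itself does not label these destinations.

```python
import ipaddress

# Constructed sample input: a subset of the report's Network rows (the three
# plaintext HTTP destinations, the resolver traffic, one loopback row and
# representative browser traffic). The header line is tolerated if pasted in.
NETWORK = """
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
NL 108.177.127.84:443 accounts.google.com tcp
N/A 127.0.0.1:49844 tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
"""

# Hostname suffixes treated as Firefox/Google background traffic in this
# example (a triage assumption, not a statement from the report).
NOISE_SUFFIXES = (".mozilla.net", ".mozgcp.net", ".google.com",
                  ".getpocket.com", ".openh264.org", ".gvt1.com")


def ptr_to_ip(name):
    """'19.113.215.185.in-addr.arpa' -> '185.215.113.19'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_network(text):
    """Rows are 'Country ip:port [Domain] Proto'; loopback rows lack Domain."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue                      # header line ("Destination") or garbage
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    ip, port, domain = row["ip"], row["port"], row["domain"]
    if ipaddress.ip_address(ip).is_loopback:
        return "local"
    if port == 53:
        return "dns-ptr" if ptr_to_ip(domain) else "dns"
    # Plaintext HTTP to a destination the client never named by hostname.
    if port == 80 and (domain == "" or is_ip_literal(domain)):
        return "c2-candidate"
    if domain.endswith(NOISE_SUFFIXES):
        return "browser-noise"
    return "review"


def triage(text):
    """Label every flow; return label counts, the candidate C2 set, and the
    subset of it that also shows up as the target of a reverse lookup."""
    counts, c2, ptr_targets = {}, set(), set()
    for row in parse_network(text):
        label = classify(row)
        counts[label] = counts.get(label, 0) + 1
        if label == "c2-candidate":
            c2.add(row["ip"])
        elif label == "dns-ptr":
            ptr_targets.add(ptr_to_ip(row["domain"]))
    return {"counts": counts, "c2": sorted(c2),
            "ptr_corroborated": sorted(c2 & ptr_targets)}


if __name__ == "__main__":
    print(triage(NETWORK))
```

The port-80 rule deliberately requires a bare IP: the OpenH264 download to ciscobinary.openh264.org is also plaintext HTTP, but it carries a hostname with a known Firefox suffix and lands in the noise bucket, which is the distinction an analyst wants when pulling IOCs out of a browser-heavy capture.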

Files

memory/1836-0-0x0000000000740000-0x0000000000BFD000-memory.dmp

memory/1836-1-0x00000000773D6000-0x00000000773D8000-memory.dmp

memory/1836-2-0x0000000000741000-0x000000000076F000-memory.dmp

memory/1836-3-0x0000000000740000-0x0000000000BFD000-memory.dmp

memory/1836-4-0x0000000000740000-0x0000000000BFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 16a0efa2b6695032ed7c293ac609b548
SHA1 3c00ff7eb82cbb8439b3499f468000fd1ffaa12a
SHA256 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613
SHA512 cffae5effbf09dfed4625a28385578f1c27f6caa10f691406a3fa8eeed4d6749217d9e2ae806256aca1acbb597d37bf726bfa07901fdb64854a297a4da28ca26

memory/1836-17-0x0000000000740000-0x0000000000BFD000-memory.dmp

memory/1176-18-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-19-0x0000000000051000-0x000000000007F000-memory.dmp

memory/1176-20-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-21-0x0000000000050000-0x000000000050D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe

MD5 929e5d8768ad2142515bc380fb050012
SHA1 857996d4d7f7d75cf8f8839c6d51c53825286017
SHA256 2a7cb9a967e2842a517b585b92a07e0542d4a330e602b633439b71c9c386e9e1
SHA512 446eff6fe391873573879584d89cb75f15d0b6301c0eca21736647740bdbeb109171d95fc7b13bcf89826dc2dd838bf0d12bfd7d9608b5022f1e24028703f66f

memory/2144-40-0x0000000072D9E000-0x0000000072D9F000-memory.dmp

memory/2144-41-0x0000000000080000-0x00000000001D2000-memory.dmp

memory/728-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/728-47-0x0000000000400000-0x000000000052D000-memory.dmp

memory/728-45-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\47e31c7b4f.exe

MD5 7bdc4dd6037f1f49611576c723466332
SHA1 a7cbc0ee6529f261db5d164b3e502b36d2c8bcef
SHA256 f13cdb9370460f2909bf758ffd985178fe657a4ab0ef8f40ed6931637dda4b73
SHA512 a914b56d4c2c4a8dd1f8d2a8fdd8956741e1fc98836b5845e62a4737fba0a7ad854fba341ce94034b4a4c8f665e7a61ab8f1cd5a020da19207695909322fe637

memory/1688-66-0x0000000000BA0000-0x0000000000BF8000-memory.dmp

memory/1952-70-0x0000000000400000-0x0000000000643000-memory.dmp

memory/1952-68-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\4684fd6485.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/1336-86-0x0000000000EC0000-0x0000000001103000-memory.dmp

memory/1336-87-0x0000000000EC0000-0x0000000001103000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\c877dbde-74cb-4894-8145-dc704df9f5b2

MD5 93f1240aafc3034cff7e9564fdbfa673
SHA1 4e9bc650c53eb7e4cfcb364aa091274e1d5832bf
SHA256 cd2439bd1741f7604da66dc6cb809600bd2e81aeba0d0e420cc00586e47108bf
SHA512 2303ae32ebd68f933d8a49af1811866c52f7e9cc5184d0f2cba1de45d5b83a94e7db7af8831c073cf6bdb801fe7a22154726c808db91033e18662ad709aeadab

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\c258413f-5b23-49b1-b06f-1a0440461c6a

MD5 e8a06bcf9525eadb72d1894f48366eda
SHA1 233b6e4b99b373820e602890b4cb2e19cda56bc8
SHA256 892906d83ae0270a406fcc198bcf9a428df624fac0bddfcb1168d7e26fddfde3
SHA512 6aa8521df47cf123b773ee990bc696b3746526b3b70bb6ea967cbba8cf7ae82e2f7019cdaef1eba09e9468f18d0a9573417073f6106eadfd34b1d4a0d1f95e58

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\7a793f33-d6df-4625-93ae-4dfdf772c511

MD5 a53c1349875020a864ccf385557a07ea
SHA1 2e4e4fca40a85d17fddba45266e94baf47fe2f54
SHA256 78e1e1165a6c95b2f364a7d7bac601564432c97772b911fcd22221457df3603a
SHA512 975a93619ecdeff08e56f5c209c43ffefc92545bb35fda9d25c827844f66e7d2c207dcfff2cffa0ece73e8e5c8d5cb905a275fafb7778b51723d2cb8e6736b0a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 4b58e591b7c6508fc68c3ef75b7c2001
SHA1 59c3db62dd69c0439d52c3d89d751fb5f82073c5
SHA256 982c57c37f86702ee08f7077b70b58c2385f89edfbb73663a154054d66ecc771
SHA512 722b2250301ebb4c4f788fb5d5f6f0a9fdd637a8ee79d63769a8b9b9fb8cc21dc0c32b28f9af3f5829ad734544148a02da58c57a386a42c292a766934ba68a24

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 cebb5d170719aab66bd113dcd40930ba
SHA1 22e5e103f9d0c2388e31b39a0a459f5818df6eb0
SHA256 ecb42b791dc2491aa29af3523405392fd9c93170cb4dd7404810c9b3c1f76ac0
SHA512 26b4d73c722fdd38dd3ddaf994bea8bec24a1f43ef82eebb01f4a3350e6b0b0dbdfd1a609a14a27bf66ab6613e5c3389b126afbee16ad767d5db3905016c72aa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 a11472ebf4049c254b778527b389e213
SHA1 849a2476bd3bdcc5b37d3268808cb5494cd0d97d
SHA256 7b8121208c6ec9108b3f7d0054471e75cd771f8de95959c951a043301dad3956
SHA512 3bb5f4c10a05d56ffb996456109aaaeba6a364c90c8fb8ccc4f340a459d4b9b77eb69d419b04d6b490974741f890959bed7bf9a2ec9ce8b9feb034f53e742ad3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json

MD5 306992ea792d2ccc784b5b69274e387b
SHA1 a88452434b930608c4f0420affc92b6a01df4c2c
SHA256 50a4ed572e7c72e21880cc61726350f871e8a10f88d3df4a118dd05f05edc0cc
SHA512 75ddd5331f380079c42afd6302809d539d76b9073367d6c25a2dbe1b43d0422de204ffe76259d278179a79d3b712570e42a9a96e4f73409a2a84b062d5d89989

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

MD5 b7bf3b99b95c576b09987aae8fa03571
SHA1 d6e2cb48c1ee2bf338de059b32d04ca685e2e33b
SHA256 9b172588c13468ac477a5f909e0ee4425d7bef9ed604ebd765118257c45cf93b
SHA512 eab952ce72bbe9dd907b1548596eabb9f8fc0521e89a5cab854e09dbdb233484b53cabc838dc77556051cf57f9aa9093f50d828097ae001f81790c9d67d0c62e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

MD5 875526c400fd756ea2bbaec05d20af9e
SHA1 15ada60924376c905b1ef04f6684414b23e6e4db
SHA256 a5764b3099ac6f7806312e3c35af3c7c94075e803f1e4b181cf36c2cdebe0d19
SHA512 a5afcfa816e381bb8bdafd8bb1b375b12336ff5ccda35749b4b033f96d589ddf19793d0cdd0cefb3bac5486e421f9ff2a2ec2b557d66eb11dc8c527f842d2932

memory/1176-427-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-436-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-445-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-448-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-449-0x0000000000050000-0x000000000050D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 e940434b9c1384720a0baf6bd3929668
SHA1 712e6562d8aee80f5b4938c932087037aceddf97
SHA256 24ccff057435e6a100f628f5078cc59d417072ecb9148705239aeb00529f1542
SHA512 d2cc34c3f2d7af8221497d9bd69fe52d1019c6879cbbe5a4b4425a2f8342e32ac47597c00956cd9016d874522dccec798fe6747f3c7710fb1f3d940f274307eb

memory/1176-465-0x0000000000050000-0x000000000050D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

MD5 d9d865238589e7510901aec1451a7fcd
SHA1 10df393c5a86774dc7728492c5d9aa69472f10e1
SHA256 9136b3b0e789f351feac951bbb1978acbf8eb33486799ba59dec9ebbc1330a3c
SHA512 297975272c61dce05b828f2bff92687ac8d922fdf0f3944fb162007cc97bc8c903caabfbf3e10ae36d0f9aebc004dc0f4b8d31934a63c79c12ff549a91f4d504

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 a6975cfb658e12d5339f714cad6e7202
SHA1 98be86ab51cefaeaf47426e5dfc83811cf845452
SHA256 f30d900c2bf8f1d64724937d1d666653f7e5b9057199e299a3fa0ce4795a8fa9
SHA512 f42ebb821c4d1b13a1b8a6543643ee467f44b6a1dc678a37ffd4489795c49180693fa9945f2901d13a9d84893d954991712fe4e514cc97baf4cacbd52fc5aa73

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 2a20a2dc4f5d7281930b3c4b36d5d8f5
SHA1 5fb7803a6c6b1f1709a3b3654badf26ed34bbeb7
SHA256 6fb4d39ae5373ed78ef2ce8525bed9f0121f27048bbc6e320f69903e2478836f
SHA512 f0f7a562c5218aa7498647f40e2eff170b430d023b069003800e256bfcc3faee1e88e5c6f7c8268d9443f82f262190f5ef4093b1e9fbe15dbd66426157115379

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

MD5 8f669d06d1c7a4feb701510982fd1c58
SHA1 6c5723637aa0c8082308085a0216845164aa9624
SHA256 4a528ce23d11ce38553a5e5949f1648a650195d52bbf4b3d41a9d1b7aa455ac1
SHA512 ac47094308f8f872287a5dab8fc4da954d921206a367c93f0a722567b035da1d5a60c4d5869d36fec2271f3ee3cd8176d25f791426a748d30ebc83868db67d98

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

MD5 f1900a3a31f22afc77911d20c07bb236
SHA1 a2f2acf1eab8ddcfe03527a38369748d4b6591cd
SHA256 7517d6f7463c56dcabd2f74b9aabc178744a43c8cafce39cacf72bc888b855c0
SHA512 f42036077b9836111ed23c90e962063e856e89c57c0e0242ea6135b3a9fa784a2279e123bd28f374862cc4ecf0c489fbb788ebf611ca9e8d3bd6c6580dc3282d

memory/1176-932-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-2003-0x0000000000050000-0x000000000050D000-memory.dmp

memory/5760-2556-0x0000000000050000-0x000000000050D000-memory.dmp

memory/5760-2573-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-2673-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-2679-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-2681-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-2682-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-2683-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-2684-0x0000000000050000-0x000000000050D000-memory.dmp

memory/5232-2686-0x0000000000050000-0x000000000050D000-memory.dmp

memory/5232-2687-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-2688-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-2694-0x0000000000050000-0x000000000050D000-memory.dmp

memory/1176-2695-0x0000000000050000-0x000000000050D000-memory.dmp
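The Files list mixes three kinds of entry: memory-region dumps (memory/<pid>-<n>-<start>-<end>-memory.dmp), the executables the chain dropped (explorti.exe, fb3b92899b.exe, 47e31c7b4f.exe, 4684fd6485.exe, each with MD5/SHA1/SHA256/SHA512), and Firefox profile files written by the browser the sample launched. Two details are worth pulling out. First, explorti.exe carries the same SHA256 as the submitted sample, so it is a byte-identical self-copy into %TEMP%\0d8f5eb8a7\ rather than a second-stage download; the three payloads under the numbered directories are the genuinely new files. Second, the RegAsm.exe PIDs 728 and 1952 each have a dumped region starting at 0x400000 (0x12D000 and 0x243000 bytes), which is the natural place to look for the injected payload (an inference from the WriteProcessMemory table, not something the report states). The script below is an added example, not the report's or any tool's own code: it parses entries in this section's layout (a constructed excerpt is embedded, keeping only the SHA256 line of each hash block for brevity), separates dropped executables from browser-profile noise, detects self-copies by hash, and picks the largest dumped region per PID. The classification rules are assumptions of the example.

```python
import re

SAMPLE_SHA256 = "66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613"

# Constructed excerpt of the report's Files section in its own layout
# (MD5/SHA1/SHA512 lines omitted for brevity; the parser accepts them too).
FILES = r"""
memory/1836-0-0x0000000000740000-0x0000000000BFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

SHA256 66814d5a2ae9fca6c38713b0979c39c40603a1b188f5f46aad7a9c36f225a613

C:\Users\Admin\AppData\Local\Temp\1000036001\fb3b92899b.exe

SHA256 2a7cb9a967e2842a517b585b92a07e0542d4a330e602b633439b71c9c386e9e1

memory/728-43-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\47e31c7b4f.exe

SHA256 f13cdb9370460f2909bf758ffd985178fe657a4ab0ef8f40ed6931637dda4b73

memory/1952-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\4684fd6485.exe

SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

SHA256 9b172588c13468ac477a5f909e0ee4425d7bef9ed604ebd765118257c45cf93b
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_files(text):
    """Yield {'kind': 'file', 'path', 'hashes'} and
    {'kind': 'memory', 'pid', 'base', 'size'} entries in section order."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:       # hash lines belong to the preceding path
                current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        m = MEM_RE.match(line)
        if m:
            pid, lo, hi = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            entries.append({"kind": "memory", "pid": pid, "base": lo, "size": hi - lo})
            current = None
            continue
        current = {"kind": "file", "path": line, "hashes": {}}
        entries.append(current)
    return entries


def classify_file(path):
    """Classification rules chosen for this example (assumptions)."""
    p = path.lower()
    if "\\mozilla\\firefox\\" in p:
        return "browser-profile-noise"
    if p.endswith(".exe") and p.startswith("c:\\users\\"):
        return "dropped-executable"
    return "other"


def file_iocs(entries, sample_sha256):
    """Unique SHA256 -> path for dropped executables, plus the paths whose hash
    equals the submitted sample (self-copies, not new payloads)."""
    iocs, self_copies = {}, []
    for e in entries:
        if e["kind"] != "file" or classify_file(e["path"]) != "dropped-executable":
            continue
        sha = e["hashes"].get("SHA256")
        if sha is None:
            continue
        iocs.setdefault(sha, e["path"])
        if sha == sample_sha256.lower():
            self_copies.append(e["path"])
    return iocs, self_copies


def largest_region(entries):
    """Largest dumped region per PID as (base, size): a starting point for
    carving the written-in payload out of a hollowed process."""
    best = {}
    for e in entries:
        if e["kind"] == "memory" and e["size"] > best.get(e["pid"], (0, 0))[1]:
            best[e["pid"]] = (e["base"], e["size"])
    return best
```

Feeding the complete section through parse_files gives the same four executable hashes as the excerpt; everything else in the list resolves to profile noise or to dumps of explorti.exe's own image (the repeated 0x50000-0x50D000 region for PID 1176 and its later re-launches), which is why a blocklist built from this section should contain exactly the four dropped executables and nothing from the Firefox profile.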